9.0.2 (2024-02-27)
Implemented enhancements:
- Ansible Linting #747
- Make value of kernel.unprivileged_userns_clone depending on kernel version #727
Fixed bugs:
- harden permissions for directory mount /var/log fails for minimized Ubuntu 22.04 #741
Closed issues:
- Dependency Dashboard #655
Merged pull requests:
- Update dependency ansible-core to v2.16.4 #751 (renovate[bot])
- Update ansible/ansible-lint action to v24 #745 (renovate[bot])
- Always update Vagrant Boxes before using #744 (schurzi)
- Remove Docker containers on self-hosted runner after tests #743 (schurzi)
- Update dependency ansible-core to v2.16.3 #742 (renovate[bot])
9.0.1 (2024-01-15)
Implemented enhancements:
- Extend ansible-lint testing to cover our test cases #731
- Complete tests for OS hardening #660
- support restarts of audit service on Arch linux #722 [os_hardening] (schurzi)
Fixed bugs:
- Fails to install #735
- Amazon Linux gpg check fails #734
- ssh_hardening ipv6 #719
- boolean variable inconsistency? #330
- Restore idempotency for disabling unused filesystems with Ansible 2.16.0 #718 [os_hardening] (akikanellis)
Closed issues:
- 9.0.0 version number in galaxy.yml file is wrong #740
Merged pull requests:
- restructure readme to move known limitations up top #739 [os_hardening] [ssh_hardening] (rndmh3ro)
- release only on releases, not pre-releases #738 (rndmh3ro)
- Update dependency ansible-core to v2.16.2 #737 (renovate[bot])
- fix linting for github config #736 (rndmh3ro)
- Update actions/setup-python action to v5 #733 (renovate[bot])
- Update ansible-lint action and revise configuration to scan all Ansible code #732 (schurzi)
- update labeler to new config format #730 [ssh_hardening] (schurzi)
- Update dependency ansible-core to v2.16.1 #728 [os_hardening] (renovate[bot])
- pin Ansible to always let Renovate update to the most current version in our tests #721 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
9.0.0 (2023-11-16)
Breaking changes:
- make it possible to configure more then yes and no for PermitTunnel #715 [ssh_hardening] (rndmh3ro)
- add role argument spec for os, ssh, mysql #687 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
Implemented enhancements:
- Create role documentation with Automated-Ansible-Role-Documentation #694
- Minimize access user paths should be fully configurable #689
- Add support for Debian 12 #672
- add testing and support for current versions of Fedora and FreeBSD #709 [os_hardening] [ssh_hardening] (schurzi)
- feat: workflow for roles readme #705 [ssh_hardening] (Nemental)
- do not try to drop roles in mysql hardening #649 [mysql_hardening] (rndmh3ro)
Fixed bugs:
- nginx conf.d directory is missing on Rocky Linux 8 #707
- Default value of
ssh_client_alive_interval
is inconsistent with what documentation says #701 - [devsec.hardening.os_hardening : restart-auditd] fails #698
- sshd_hardening role cannot be used to build system images #697
- Error: No file was found when using first_found on Ubuntu 20.04 #676
- PUBLIC-role breaks mysql-hardening #648
- Error deploying the playbook #630
- Gather facts when os_hardening role is executed with tags #708 [os_hardening] (schurzi)
Closed issues:
- Add send-to-mailinglist to github release action #434
Merged pull requests:
- update status badges in README #714 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- fix CI test for os_hardening #711 [os_hardening] (schurzi)
- fix nginx CI tests #710 [nginx_hardening] (schurzi)
- fix: roles-readme action default value #706 [ssh_hardening] (Nemental)
- fix some wrong defaults and types in the readmes #703 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- update links to new Ansible Galaxy #702 [nginx_hardening] (schurzi)
- Fix typo in login.defs.j2 #700 [os_hardening] (nejch)
- chore(deps): update actions/checkout action to v4 #696 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (renovate[bot])
- test debian12 on VM #695 (rndmh3ro)
- fix descriptions in readme #693 [os_hardening] (rndmh3ro)
- feat: customize user paths default #692 [os_hardening] (S0obi)
- disable PAM tests #691 [os_hardening] (rndmh3ro)
8.8.0 (2023-08-04)
Implemented enhancements:
- Add support for Fedora 38 #671
- auditd: add possibility to override config template #685 [os_hardening] (Meecr0b)
- add debian 12 support #684 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- feat: explicitly support Fedora 37 and 38 #682 [os_hardening] [ssh_hardening] (nejch)
- Replace ssh_keys group with root, where applicable and use less permissive file mode #677 [ssh_hardening] (rndmh3ro)
- Add oddjob mkhomedir option rhel pam #675 [os_hardening] (imp1sh)
Fixed bugs:
- How does one set
sshd_authenticationmethods
to include password authentication? #686 - FreeIPA environment mkhomedir fails #664
Closed issues:
- What is the uscase of sysctl_overwrite over ansible.posix.sysctl? #683
Ensure permissions on mysql-logfile are correct
chokes whenlog_error
is set tostderr
#673- TASK TASK FAILED: [devsec.hardening.os_hardening : Set password ageing for existing regular (non-system, non-root) accounts] #670
- After os_hardening ssh not working #663
- Unsupported parameters for (ansible.builtin.user) module #650
Merged pull requests:
- setting gets ignored #680 [os_hardening] (rndmh3ro)
- add var-naming[no-role-prefix] to skip-list #679 (rndmh3ro)
- expand on check conditions for non-file locations of logs #674 [mysql_hardening] (whysthatso)
- use new molecule-plugins #667 (schurzi)
- add spellchecking with codespell #662 [mysql_hardening] [os_hardening] [ssh_hardening] (schurzi)
8.7.0 (2023-04-12)
Implemented enhancements:
- Support BSD and other operating systems CI with VM based tests #599
- add check mode to molecule tests #644 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- add testing for OpenBSD and FreeBSD #642 [ssh_hardening] (schurzi)
- Only skip audit restart handler in docker #637 [os_hardening] (nejch)
- Make action_mail_acct configurable in auditd #631 [os_hardening] (nejch)
Fixed bugs:
- getent task is skipped if user previously ran it with a key parameter #646
- Error running devsec.hardening.os_hardening role #645
- devsec.hardening.mysql_hardening - Get all users that have no authentication_string - Hello world #640
- fixes #646 - add another condition to getent task #647 [os_hardening] (gbolo)
Closed issues:
- Invalid login.defs for RHEL6 #651
- Deprecation warnings for os_hardening #638
- Write tests for MySQL user-deletion #445
Merged pull requests:
- Update minimum required Ansible version for os_hardening #657 [os_hardening] [ssh_hardening] (schurzi)
- Update test environment #656 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- Update dependency geerlingguy.git to v3.0.1 #654 [mysql_hardening] (renovate[bot])
- Configure Renovate #653 (renovate[bot])
- simplify MySQL queries for user deletion #641 [mysql_hardening] (schurzi)
- Bump creyD/prettier_action from 4.2 to 4.3 #639 (dependabot[bot])
- Fix molecule tests for EL7 #636 [mysql_hardening] (rndmh3ro)
- run our CI tests periodically #634 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- try to fix molecule local tests #632 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- remove unnecessary tasks for VM based test #629 [os_hardening] (schurzi)
8.6.0 (2023-02-04)
Implemented enhancements:
- make number of warning days before user password expires configurable #628 [os_hardening] (Normo)
Merged pull requests:
- Bump hugo19941994/delete-draft-releases from 1.0.0 to 1.0.1 #627 (dependabot[bot])
8.5.0 (2023-01-30)
Implemented enhancements:
- Add support for /etc/auditd.conf num_logs to go with max_log_file_action #616
- password ageing not enforced #570
- Rewrite system account detection and hardening and create tests #621 [os_hardening] [ssh_hardening] (rndmh3ro)
- Add support for /etc/auditd.conf num_logs to go with max_log_file_action #617 [os_hardening] (richardlock)
- Preserve default ownership and dir mode for /var/log on Ubuntu #615 [os_hardening] (stdtom)
- rewrite user home dir hardening #584 [os_hardening] (DonEstefan)
- apply password age settings to existing regular users #582 [os_hardening] (DonEstefan)
- Parametrize more auditd.conf options #535 [os_hardening] (kravietz)
Fixed bugs:
- os_hardening is setting wrong ownership for /var/log on Ubuntu #614
- [os_hardening] Task for setting
initramfs
modules does not match its condition #590 [os_hardening] - Support for Amazon Linux 2 #624 [ssh_hardening] (mmitnyan)
Deprecated:
- deprecate rebuilding of initramfs #618 [os_hardening] (rndmh3ro)
Closed issues:
- Ubuntu 22.04 vars file missing? #619
- SSH KexAlgorithms causes SSH daemon to fail #500
- Playbook won't run for hardening #462
Merged pull requests:
- do not let dependabot label our prs #626 (rndmh3ro)
- run linting only when files inside roles change #625 (rndmh3ro)
- cancel running tests if new commit to branch is made #622 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- Fixed problems with running molecule locally with cgroup v2 #620 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- Bump actions/setup-python from 1 to 4 #611 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (dependabot[bot])
- Bump creyD/prettier_action from 3.1 to 4.2 #610 (dependabot[bot])
- linting #603 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
8.4.0 (2022-12-17)
Implemented enhancements:
- Implement Test for MySQL systemd service #606
- Extended net hardening #607 [os_hardening] (DonEstefan)
- Add OpenSUSE support #605 [mysql_hardening] (rndmh3ro)
- Allow ssh_allow_tcp_forwarding to be a boolean #600 [ssh_hardening] (crisbal)
- OpenBSD does not support GSSAPI Authentication #598 [ssh_hardening] (dennisse)
- add Ansible specific templates for issues #596 (schurzi)
- use github templates for new issues #595 (schurzi)
Fixed bugs:
- os_auth_retries variable causes a comparison type error on pam tasks #593
- ssh_hardening: Install selinux dependencies fails on Oracle Linux (RHEL) 9 #585
- OpenBSD does not set distributiuon_major_version #597 [ssh_hardening] (dennisse)
Merged pull requests:
- Check for github action updates daily #609 (jlosito)
- add verify-task to check if mysql is running and enabled #608 [mysql_hardening] (rndmh3ro)
- Updates handlers for new ansible syntax and deprecated options for legacy commands #602 [os_hardening] (jsievertde)
- add notice to sign-off work to contributor guideline #601 (schurzi)
8.3.0 (2022-10-27)
Implemented enhancements:
- add hardening of root user account(s) #579 [os_hardening] (DonEstefan)
Fixed bugs:
- cast expected int types in pam tasks #594 [os_hardening] (dlouzan)
- do not manage trusted user ca keys if none exist #580 [ssh_hardening] (hollow)
Closed issues:
- Trying to run the os_hardening on Debian 11, but fails on privilege escalation #587
- auditd increasing logfiles #586
- Path to nginx.conf should be configurable in a variable #577
Merged pull requests:
- adopt all current suggestions from ansible-lint #592 [mysql_hardening] [os_hardening] [ssh_hardening] (schurzi)
- Support more os #588 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- run tests only on pushes to master or to PRs #581 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
8.2.0 (2022-09-08)
Implemented enhancements:
- Add nginx variables for config-path and owner/group #578 [nginx_hardening] (hagenbauer)
- add centos >8 Support #573 [ssh_hardening] (sbaerlocher)
- add always-tag to include so other tags can be used #569 [os_hardening] (rndmh3ro)
Closed issues:
- Bug using os_hardening "tags" #567
8.1.0 (2022-08-26)
Closed issues:
- dev-sec CI bot should not update CHANGELOG.md in fork repository #566
Merged pull requests:
- update supported OS in meta and fix linting #572 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- fix misleading comment #571 [os_hardening] (DonEstefan)
- only run release actions on upstream-repo #568 (rndmh3ro)
8.0.0 (2022-08-22)
Breaking changes:
- change default to allow SFTP #564 [ssh_hardening] (schurzi)
Implemented enhancements:
- add possibility to keep .netrc files in users homedir #563 [os_hardening] (PhilippFunk)
- rework filesystem hardening #555 [os_hardening] (divialth)
Closed issues:
- Error in Task 'Create sshd_config and set permissions to root/600' #565 [ssh_hardening]
- [ssh_hardening] Debian 11 - Ansible cannot transfer files #557
- Add the old SFTP-Reminder to the stable ssh_hardening role for ansible #521
7.16.0 (2022-08-16)
Implemented enhancements:
- revert debian 9 change, only one tls variable now #562 [nginx_hardening] (rndmh3ro)
- add possibility to run ssh_hardening as unprivileged user #561 [ssh_hardening] (schurzi)
- add basic support for ubuntu22.04 #554 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- Add full support for Debian 11 #538 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (addianto)
Fixed bugs:
- Replace default 2048 bits RSA keypair fails on Ubuntu 20.04 #459
Closed issues:
- os-hardening: yum gpg-check fails if gpg-check already set #556
- Ubuntu 22.04 LTS #553
- Revert nginx ssl-protocol after deprecation of debian9 #528
- Support for Debian 11 #527
- Support baseline-control os-14 #507
7.15.1 (2022-07-26)
Fixed bugs:
- Fix broken mode for /var/log/audit #552 [os_hardening] (hollow)
Merged pull requests:
- Only run hardening if /var/log/audit exists #550 [os_hardening] (mego22)
7.15.0 (2022-07-11)
Implemented enhancements:
- Harden mountpoints #531 [os_hardening] (lbayerlein)
Fixed bugs:
- os_hardening gpg-check enabled fails on success #549 [os_hardening]
- add VM tests for os_hardening #547 [os_hardening] (schurzi)
- Linting #546 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
7.14.3 (2022-06-29)
Closed issues:
- Version 7.14.2 not released to Ansible Galaxy #544
- os_hardening role: os_ignore_users not described in the Readme's variable topic #542
- doc: incorrect description for ssh_client_alive_count #540
- 'legacy' branch is mentioned in README, but apparently doesn't exist #539
- ansible_role_name is undefined #532
- Can't sudo anymore after hardening #518
- Any planned official support for RHEL/CentOS Stream 9? #517
Merged pull requests:
- Improve documentation #541 [ssh_hardening] (schurzi)
7.14.2 (2022-02-28)
Fixed bugs:
- debian 9's nginx doesn't support tls1.3 #526 [nginx_hardening] (rndmh3ro)
- Change permissions of the tmout.sh file #520 [os_hardening] (abejotaR)
Closed issues:
- No such file directory error triggered by the kernel.unprivileged_userns_clone configuration. #514
Merged pull requests:
- delete obsolete release drafts #530 (schurzi)
- add waivers to skip controls #529 [os_hardening] (rndmh3ro)
- remove centos8 tests #525 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
7.14.1 (2022-02-18)
Fixed bugs:
- move sysctls to debian specific vars #524 [os_hardening] (rndmh3ro)
Closed issues:
- Error when using the ssh_hardening role #519
7.14.0 (2021-12-16)
Implemented enhancements:
- Add option to set timeout in seconds to logout users #516 [os_hardening] (lbayerlein)
- add feature to disable coredump to limit task #511 [os_hardening] (lbayerlein)
- change hidepid mount task state to mounted #510 [os_hardening] (alegrey91)
- prettify nginx options #509 [nginx_hardening] (schurzi)
- Update nginx_add_header README to match default #506 [nginx_hardening] (duffn)
- Updated dh_params to 4096 #501 [nginx_hardening] (ksaadDE)
Fixed bugs:
- Duplication of sysctl default parameter fs.protected_hardlinks and fs.protected_symlinks #502
- Fix duplicate sysctl config in fs #505 [os_hardening] (tekicat)
Merged pull requests:
- Feature coredump #513 [os_hardening] (rndmh3ro)
7.13.2 (2021-11-23)
7.13.1 (2021-11-23)
Closed issues:
- Unable to use 7.13.0 Release #503
7.13.0 (2021-11-15)
Implemented enhancements:
- os_hardening: Provide a whitelist for yum repositories with non-signed RPMs #485
- Disable ctrl-alt-del key combination #496 [os_hardening] (lbayerlein)
- implement sysctl-34 - link protection settings #494 [os_hardening] (rndmh3ro)
- Add whitelist option for yum repository files #487 [os_hardening] (darxriggs)
- Add TLSv1.3 to nginx default configuration #470 [nginx_hardening] (ksaadDE)
Closed issues:
- Please create the collection in ansible-galaxy #407
Merged pull requests:
- Improve testing: install packages on Arch Linux #499 [os_hardening] [ssh_hardening] (darxriggs)
- add old role names to tags in Galaxy #495 (schurzi)
- update minimum ansible version for roles #493 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- revive old tests with custom ssh settings #491 (rndmh3ro)
7.12.0 (2021-10-21)
Implemented enhancements:
- feat(os_hardening): extend file permission tasks to cover more files #489 [os_hardening] (cmhe)
Fixed bugs:
- mysql remove deprecated 'secure_auth' parameter in mysql #346
- change baseline urls to full zip-url #490 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- fix filter error in ansible.builtin.file mode parameter #486 [ssh_hardening] (ssttehrani)
Closed issues:
- Extend os_hardening minimize_access task to cover additional passwd/group/shadow/gshadow paths #488
- postgresql_hardening role #484
- os_hardening fails on "Create a combined sysctl-dict if overwrites are defined" task #482
- Improve changelog generation #381
7.11.0 (2021-08-30)
Implemented enhancements:
- Use
log_error
file anddatadir
from mysql_info settings instead of variablesmysql_datadir
andmysql_hardening_log_file
#478 [mysql_hardening] (123quhiwiwk) - Execute check of MySQL error logfile permissions on Debian 11 only when log_error is defined #477 [mysql_hardening] (123quhiwiwk)
- [mysql_hardening] Setup defaults for MySQL on FreeBSD #474 [mysql_hardening] (sdwilsh)
Closed issues:
- MariaDB hardening fails, because log_error file is missing [Debian 11] #476
Merged pull requests:
- ssh_allow_tcp_forwarding is not a boolean #480 [ssh_hardening] (ReinerNippes)
- chore(ssh_hardening): set min_ansible_version to >=2.9.10 #479 [ssh_hardening] (bufferoverflow)
7.10.0 (2021-08-15)
Implemented enhancements:
- use Ansible lint in separate task #475 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- [mysql_hardening] Allow setting the mysql_distribution #473 [mysql_hardening] (sdwilsh)
Fixed bugs:
- mysql_hardening cannot work with mysql on freebsd #472
Closed issues:
- run ansible-lint only once in Github Actions #398
Merged pull requests:
- SSH Hardening: backtick typo #471 [ssh_hardening] (Slamdunk)
- fix license in galaxy #469 (rndmh3ro)
7.9.0 (2021-07-22)
Implemented enhancements:
- Allow configuration of password remember in pam #467 [os_hardening] (m41kc0d3)
- Add CVE-2021-33909 mitigations #466 [os_hardening] (kravietz)
- Add SUB_UID_MIN/MAX/COUNT, SUB_GID_MIN/MAX/COUNT #463 [os_hardening] (elgalu)
- Add os_auth_uid_max, os_auth_gid_max #461 [os_hardening] (elgalu)
Closed issues:
- MySQL hardening fails because of missing attribute #464
- add "when" statements for every import_tasks in hardening.yml #453
Merged pull requests:
7.8.0 (2021-07-01)
Implemented enhancements:
- SHA_CRYPT_MIN_ROUNDS should be increased in login.defs #365 [os_hardening]
- Add support for Rocky Linux 8 #454 [mysql_hardening] [os_hardening] [ssh_hardening] (sherwind)
- make sha rounds configurable and increase no of rounds #452 [os_hardening] (rndmh3ro)
Fixed bugs:
- add tag always to os dependent vars task #456 [mysql_hardening] [os_hardening] [ssh_hardening] (schurzi)
- Use
include_tasks
for os_hardening/main.yml #451 [os_hardening] (coadler)
Closed issues:
- Disable IPv6 | sysctl-18 net.ipv6.conf.all.disable_ipv6: 1 #406 [os_hardening]
Merged pull requests:
- Cleanup old OS-support and simplify vars #458 [os_hardening] [ssh_hardening] (rndmh3ro)
- add rocky linux 8 tests and make sure that all relevant tasks are execd #457 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- add "when" statements in hardening.yml(#453) #455 [os_hardening] (jqiuyin)
- enable ipv6 globally #450 [os_hardening] [ssh_hardening] (rndmh3ro)
7.7.0 (2021-05-24)
Implemented enhancements:
- Add tasks for new controls #123
- ssh_allow_tcp_forwarding remote option added #447 [ssh_hardening] (alimli)
Fixed bugs:
- Warning: iptables-legacy tables present, Debian 10 #274
- Check for MariaDB Version when selecting users without passwords #444 [mysql_hardening] (neubi4)
- Adds dependency on ansible.posix and community.general #415 (irl)
Closed issues:
- No dependency on ansible.posix collection #414
- No dependency on community.general #413
- in lxc/docker/openvz IPv6 is always disabled by ufw-configuration #402
- Allow login_unix_socket to be specified #327
Merged pull requests:
- Removed sysctl that tries to disable IPv6 #449 [os_hardening] (lduesing)
- limit changelog labels to role names #448 (schurzi)
- add back labels to changelog #446 (rndmh3ro)
7.6.0 (2021-04-27)
Implemented enhancements:
- ssh: Client HostKeyAlgorithms configuration variable #442 [ssh_hardening] (sepek)
Fixed bugs:
- mysql USER and HOST should be quoted for drop query #443 [mysql_hardening] (neubi4)
Closed issues:
- Support HostKeyAlgorithms configuration for ssh_client file #441
Merged pull requests:
- fixed a typo in comments #439 [ssh_hardening] (ssttehrani)
7.5.0 (2021-04-01)
Implemented enhancements:
- Not accepting source routing for IPv6. This was already done for IPv4. #424 [os_hardening] (joubbi)
Fixed bugs:
- SSH kex [email protected] replaced #433
- Fix ssh kex [email protected] for openssh >= 8.5 #437 [ssh_hardening] (BenjaminBoehm)
Closed issues:
- Harden user home directories #276
Merged pull requests:
- remove secure-auth param if mysql >= 8.0.3 #438 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- Improved comments. #436 [os_hardening] (joubbi)
- os_auth_pam_pwquality_options: Changed type to authtok_type #432 [os_hardening] (joubbi)
- add restart-auditd handler after configuration change #427 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- add new tasks to delete mysql users without passwords #423 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- Uppercased first letter of task names. #422 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (joubbi)
7.4.0 (2021-03-23)
Implemented enhancements:
- Harden user home dirs #428 [os_hardening] (rndmh3ro)
Closed issues:
- Errors in packer build for vagrant builder #244
Merged pull requests:
- Use pam_pwhistory.so instead of pam_unix.so for remembering old passwords #431 [os_hardening] (joubbi)
- Remove comments from PAM config file, but keep it in the template #430 [os_hardening] (joubbi)
- add support for using a proxy to test with molecule #429 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (rndmh3ro)
- Improve Documentation for sysctl defaults #418 [os_hardening] (joubbi)
7.3.0 (2021-03-16)
Implemented enhancements:
- pam_tally2 is deprecated in RHEL8 and pam_faillock should be used in EL7 and EL8 instead. #377 [os_hardening]
- Replace pam_tally2 with pam_faillock in Redhat #273 [os_hardening]
- Extend GSSAPI configuration support to ssh_config #403 [ssh_hardening] (wzzrd)
- add restart handler variable for mysql role #399 [mysql_hardening] (rndmh3ro)
- restructure PAM handling and update for currently supported Linux distributions #392 [os_hardening] (schurzi)
Fixed bugs:
- Not able to use
sudo
command for user authenticated via ActiveDirectory #278 [os_hardening] - You shouldn't touch /etc/pam.d/system-auth-ac in RedHat/CentOS #252 [os_hardening]
Closed issues:
- Netdata monitoring of docker in docker no longer possible #412
- Unable to connect with SSH (Permission denied (publickey)) #411
- TASK [os_hardening : configure auditd | package-08] #410
- Collection throws undefined ansible_role_name error in auditd task #409
- Ensure permissions on /etc/crontab are configured #375 [os_hardening]
- Documentation should be updated #361
Merged pull requests:
- Improve Release Action #421 (schurzi)
- remove FQCN from roles in examples #420 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- Ensure permissions on /etc/crontab are configured #405 [os_hardening] (joubbi)
- remove FQCN from roles in examples #404 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- do not install mysql python package on target host #401 [mysql_hardening] (rndmh3ro)
- make wrong password fail task #400 [mysql_hardening] (rndmh3ro)
7.2.0 (2021-02-10)
Implemented enhancements:
- Add variable to specify SSH host RSA key size #394 [ssh_hardening] (Normo)
- Set default for ssh host key files only when hardening the server #393 [ssh_hardening] (Normo)
Fixed bugs:
- A reason why instance would go in rescue mode ? #267
- fix galaxy action to update local galaxy.yml #395 (Normo)
Closed issues:
- Updating version in galaxy.yml should be part of the release process #396
- ssh_hardening fail on keypair generation #388
- The system must display the date and time of the last successful account logon upon an SSH logon. #362
- Error in "root password is present" step #326
Merged pull requests:
- update ansible-lint to version 5 #397 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (schurzi)
- fix minimum required ansible version in docs #390 (schurzi)
7.1.1 (2021-02-05)
Fixed bugs:
- use fqcn for community.crypto.openssh_keypair module #389 [ssh_hardening] (schurzi)
Closed issues:
- AnsibleUndefinedVariable: 'ansible_role_name' is undefined with 7.1.0 #387
7.1.0 (2021-02-02)
Implemented enhancements:
- Default value for ssh_max_startups should be changed #366 [ssh_hardening]
- Comment in configuration files should state which collection was there #345
- Error on applying the sysctl vars on Debian Jessy #230
- add Support for OpenSSH HostCertificate config option #380 [ssh_hardening] (mpraeger)
- Syncookie #372 [os_hardening] (joubbi)
- Sorted sysctl values and lists in READMEs alphabetically (No functional changes). #371 [os_hardening] (joubbi)
- make auditd 'max_log_file' configurable #370 [os_hardening] (tgueldner-mms)
- reduce maximum unauthenticated ssh sessions #368 [ssh_hardening] (schurzi)
- add a runtime.yml to declare minimum ansible version #363 (rndmh3ro)
- change inclusion of os specific defaults #353 [mysql_hardening] [os_hardening] [ssh_hardening] (schurzi)
- make the os_env_umask variable usable #351 [os_hardening] (sprat)
- Fix #348: make ssh configuration files paths configurable #350 [ssh_hardening] (sprat)
- Removed Protocol statement in later versions of sshd, since the code … #342 [ssh_hardening] (joubbi)
- Improvements of comments in opensshd.conf.j2 #338 #339 [ssh_hardening] (joubbi)
Fixed bugs:
- Comments in opensshd.conf.j2 should be improved #338
- check for correct cpu vendor in initramfs-tools #374 [os_hardening] (schurzi)
- set hidepid=0 on RHEL/CentOS 7 #369 [os_hardening] (schurzi)
Closed issues:
- initramfs-tools modules.j2 does not seem to be able to detect AMD CPUs #373
- How do i install this on Centos 8? #367
- hidepid=2 gives error when running systemctl on EL7 #364 [os_hardening]
- Allow putting the ssh/sshd config in alternative files #348
- os_env_umask has no effect #344
- Don't modify /etc/sysctl.conf #343 [os_hardening]
Merged pull requests:
- use version tag for changelog action #386 (schurzi)
- make release workflow manually runnable #384 (schurzi)
- run labeler workflow with higher privileges #383 (schurzi)
- remove issue labels from changelog #382 (schurzi)
- Added comment on top of templates about which role manages the file #378 [mysql_hardening] [os_hardening] [ssh_hardening] [nginx_hardening] (joubbi)
- Regenerate RSA key with size 4096 bits #376 (ssttehrani)
- fix second changelog generation task, too #349 (rndmh3ro)
- fix changelog generation #341 (rndmh3ro)
- Improve README for ssh_hardening #335 [ssh_hardening] (szEvEz)
7.0.0 (2020-11-11)
Breaking changes:
Implemented enhancements:
- Breaking change in ansible-lint - set file permissions explicitly #299 [os_hardening]
- Configure audit=1 for more accurate auid auditing #253
- Add Debian Buster support for ansible-os-hardening #233
- Add CentOS 8 support for ansible-os-hardening #232
- Speed up "minimize access on found files" task #208
- Fedora support? #163
- Update some RH settings in this role #155
- Add selinux configuration #154
- Warning about "include" for tasks for ansible-playbook 2.4.0 (devel f0a5854e39) #131
- Removal of core dump hardening configuration if core dumps are allowed #129
- Description of the Ansible roles of dev-sec says "This Ansible playbook" #97
- Improve Documentation #315 [os_hardening] (schurzi)
- Arch support #303 [os_hardening] (rndmh3ro)
- fix linting for molecule #301 [os_hardening] (schurzi)
- file permissions explicitly defined #300 [os_hardening] (danielkubat)
- Optimize and unify when clause #295 (Alexhha)
- use find module instead of shell #294 (danielkubat)
- improve testing #287 (schurzi)
- Mount proc filesystem using hidepid option #283 (alegrey91)
- unify changelog and release actions #279 (rndmh3ro)
- purge insecure packages #275 (chris-rock)
- add changelog and release workflow #271 (rndmh3ro)
- github action for changelog generation #270 (rndmh3ro)
- Make useradd defaults in login.defs dependent on OS #266 (aisbergg)
- Add kernel hardening parameters from Tails and CIS Benchmark #263 (kravietz)
- add ansible-lint #262 (rndmh3ro)
- Remove trailing space #261 (kravietz)
- Add kernel parameter information to README #259 (jaredledvina)
- Remove trailing whitespaces (ansible-lint 201) #254 (kravietz)
- Standardize the var ordering #251 (dustinmiller)
- Add initial support for OpenSUSE #250 (dustinmiller)
- Make max_log_file_action for auditd configurable #246 (jandd)
- Add exception in sysctl task #240 (ghost)
- Fedora - Use new auto ansible_python_interpreter for dnf #239 (jaredledvina)
- add test support for CentOS8 #237 (yeoldegrove)
- Support configuring SELinux and default to enforcing #236 (jaredledvina)
- Add test support for debian buster #234 (123Haynes)
- Changed local var name to a less common one #231 (rgarrigue)
- Use ansible facts for vars #226 (joshuatalb)
- Fix deprecation warnings in Ansible 2.8 #224 (Normo)
- add docs to find-task in minimize access. fix #219 #220 (rndmh3ro)
- remove eol'd OS and add new #217 (rndmh3ro)
- Add note about docker under warning #214 (ChrisMcKee)
- change minimize access tasks to speed them up #209 (rndmh3ro)
- Added fedora support #206 (jonaswre)
- Pass package list directly to apt and yum modules without using with_items loop #200 (Normo)
- add ubuntu 1804 support #196 (rndmh3ro)
- add option to disable auditd #192 (rndmh3ro)
- fix problems with efi and vfat #190 (rndmh3ro)
- added os_hardening_enabled flag #186 (jcheroske)
- add amazon run opts to travis #183 (rndmh3ro)
- use package instead of yum and apt #180 (rndmh3ro)
- add oracle7 to travis #178 (rndmh3ro)
- fix wrong permissions passwdqc #170 #176 (rndmh3ro)
- ipv4 forwarding comment is inconsistent with example #174 (carchrae)
- Rename pam_passwdqd.j2 to pam_passwdqc.j2 #172 (martinbydefault)
- Use package state 'present' since 'installed' is deprecated #168 (Normo)
- Update syntax to Ansible 2.4 #161 (thomasjpfan)
- add amazon linux testing #160 (rndmh3ro)
- Add support for Amazon Linux #158 (woneill)
- Don't create home for system accounts #156 (oakey-b1)
- Prevent disabling of filesystems via whitelist #153 (manuelprinz)
- Add kernel hardening settings from Ubuntu /etc/sysctl.d #150 (kravietz)
- Removal of core dump hardening configuration if core dumps are allowed #146 (martinbydefault)
- install and configure auditd - fix inspec package-08 #144 (rndmh3ro)
- add missing sysctl parameter #143 (rndmh3ro)
- update readme #139 (rndmh3ro)
- add modprobe template, control os-10 #138 (rndmh3ro)
- new task for delete netrc files, control os-09 #137 (rndmh3ro)
- add passwd task, control os-03 #136 (rndmh3ro)
- remove prelink package, control package-09 #135 (rndmh3ro)
- style update #134 (rndmh3ro)
- Remove deprecated include for static tasks and use instead import_tasks fix #131 #132 (HelioCampos)
- Fix ansible.cfg and use comment filter #130 (fazlearefin)
- install initramfs-tools #114 (rndmh3ro)
- omit empty variables #106 (rndmh3ro)
- Supports --check mode #93 (conorsch)
- Adds support for CentOS 7 #91 (conorsch)
- Docker #90 (rndmh3ro)
- debian 8 support #88 (rndmh3ro)
- Ufw manage defaults #85 (fitz123)
- replace ignore_errors to failed_when to suppress ugly error warnings #81 (fitz123)
- fix bare variables usage for loops #79 (fitz123)
- update platforms in meta-file #69 (rndmh3ro)
- add webhook for ansible galaxy #68 (rndmh3ro)
- Move sysctl vars to defaults #67 (rndmh3ro)
- make sys_uid and sys_gid configurable #62 (rndmh3ro)
- Ansible 2.0 support #59 (rndmh3ro)
- use inspec as test framework #58 (chris-rock)
- Packages as attributes #57 (rndmh3ro)
- Change categories to tags for upcoming ansible 2.0 #56 (rndmh3ro)
- Add SINGLE and PROMPT parameters. #55 (rndmh3ro)
- add changelog generator #54 (chris-rock)
Fixed bugs:
- Task "set 10.hardcore.conf perms to 0400 and root ownership" fails in check mode #313
- Inconsistent use of role vars/role defaults #284
- Is it safe to use on Debian 10? The build is failing. #281
- /etc/login.defs alters centos 7/8 default values #265
- Invalid Conditionals in user_accounts.yml #255
auth-system
related files are created for non-RHEL systems (e.g. Debian) #247- NSA website links are stale #227
- Running ansible on python3 throughs "TypeError: '<=' not supported between instances of 'str' and 'int'" #223
- [lots of] deprecation warnings in Ansible 2.8 #221
squash_actions
deprecation warning #218- login.defs.j2 template: ENV_PATH is missing ':' before variable substitution #202
- auditd causing v5.0 to fail on unprivileged LXC's #191
- Setting os_security_users_allow has no effect #175
- minimize_access: maximum recursion depth exceeded on Ansible 2.5 #171
- wrong permissions passwdqc #170
- 'sysctl_rhel_config' is undefined #167
- Update deprecated
include
statements #166 - Strongly recommend against disabling vfat by default #162
- bug in ufw.j2 template #151
- Add a "don't fail on error" switch ? #148
- System completely unresponsive after role execution #145
- Why is rsync removed? #141
- RHEL 7.4: Too many setuid bits removed #140
- Change system accounts not on the user provided ignore-list items are not JSON serializable #125
- playbook makes OS undetectable #124
- Centos7/RHEL7: Exec shield is enabled by default and not manageable anymore by sysctl.conf #118
- Could not find gem 'ruby (>= 2.1.0)' #116
- os_security_kernel_enable_sysrq is not implemented #115
- The task sysctl fails when /etc/initramfs-tools is not present #111
- The role fails when conditionally included #105
- Deprecation warning always_run #103
- CentOS 7 selinux dependencies #102
- ubuntu xenial warning during activate gpg-check for yum-repos #99
- rhel_system_auth.j2 is still using pam_passwdqc.so for CentOS 7 #98
- Centos 7.1 fails at [Change various sysctl-settings on rhel-hosts...] #74
- Enable pam_pwquality in rhel-family > 7 #73
- Hardening fails on Centos 7.1 at task 'minimize access' #71
- "irc" user always changed after reboot #53
- use touch for 10.hardcore.conf to avoid problems with dry-run #314 (schurzi)
- use touch with no date changes #310 (rndmh3ro)
- do not touch sysctl file to avoid idempotency problems #309 (rndmh3ro)
- replace module parameter fixed #297 (danielkubat)
- Addressing issue #255 #258 (ljkimmel)
- Fix #247, cleanup conditions #248 (fernandezcuesta)
- Fix error on applying the sysctl vars on containers #243 (ghost)
- Update location of NSA RHEL 5 Guide #235 (jaredledvina)
- Fix typo #212 (ruslo)
- Update modprobe to 0644 #211 (joshuatalb)
- Test Kitchen Vagrant Fixes #210 (joshuatalb)
- [readme] Update documentation link #207 (pmav99)
- fix ansible lint remarks #204 (rndmh3ro)
- add colon to user env paths - fix #202 #203 (rndmh3ro)
- add /usr/bin/su to suid_guid whitelist #199 (ccolic)
- ensure that permissions to su-binary are not restricted to root user and group only, if os_security_users_allow contains the value change_user #197 (szEvEz)
- do not install passwdqc on amazon linux #189 (rndmh3ro)
- add back run opts for debian 8 in travis #184 (rndmh3ro)
- Fix core dump config file creation when core dumps are disabled #182 (Normo)
- change minimize access method #181 (rndmh3ro)
- Fix errors produced by ansible-lint #159 (zbrojny120)
- replace single ticks with double ticks. fix #151 #152 (rndmh3ro)
- fixed tag #149 (martinbydefault)
- Remove rsync from package blacklist #142 (duk3luk3)
- Updates "tags" parameters on includes in main.yml #66 (conorsch)
- Suid set def var, fix #64 #63 (rndmh3ro)
Closed issues:
- Any planned support for RHEL/CentOS 8? #298
- Consider using find module instead of shell #293
- Optimize logical OR in when clause #292
- vfat added to dev-sec.conf, but efi is used #288
- The state of the galaxy release #269
- OpenSUSE Support #249
- ansible hardening fails on ubuntu 16.04 with msg": "ERROR! 'sysctl_rhel_config' is undefined #147
- Enhancement: Test with TestInfra and Molecule #128
- Enhancement: Pin python dependencies for development and testing #127
- Update readme to include baselines #122
- Error running on RHEL 7 due to syntax issues #112
- disable password age #109
- Permissions on /etc/shadow can lock out GUI users #86
- network related sysctl rewritten by ufw in ubuntu #82
- ansible >= 2.0 complains: Using bare variables is deprecated #78
- Hardening fails on Centos 7.1 at task 'remove suid/sgid bit from all binaries except in system and user whitelist' #72
- ansible 2.0 | "remove suid/sgid" task fails #64
- Custom sysctl #50
- Fix directory structure. #48
- pam auth update error #47
- ansible-os-hardening/tasks/minimize_access.yml #38
- Role configuration. vars/main.yml? #34
- Sysctl reloading #18
- Add conditions for disabling of ip forwarding #15
- Disable System Accounts #6
Merged pull requests:
- prettier markdown files action added #322 (danielkubat)
- adjust permissions on shadow file on suse #311 (rndmh3ro)
- fix fedora build #296 (rndmh3ro)
- do not blacklist used filesystems #289 (schurzi)
- move hidepid vars into defaults so they're overwritable #285 (rndmh3ro)
- install procps in debian so sysctl.conf exists #282 (rndmh3ro)
- move defaults to os-specific vars #157 (rndmh3ro)
- Converts set to JSON-serializable list #126 (pestaa)
- add more sysctl settings, allow overwriting #120 (rndmh3ro)
- remove execshield sysctl-parameter on rhel7 #119 (rndmh3ro)
- change shadow owner in debian systems #117 (rndmh3ro)
- Rhel7 #113 (tyrken)
- use new Docker images #110 (rndmh3ro)
- Don’t refer to this role as "playbook" in the role description #104 (ypid)
- update template #101 (rndmh3ro)
- fix deprecation warning for undefined error. #99 #100 (rndmh3ro)
- add rhel7 pam_pwquality. fix #73 #94 (rndmh3ro)
- Fix a formatting issue in readme. #92 (vivekagr)
- Permits overriding permissions on /etc/shadow #89 (conorsch)
- Release 3.0.0 #75 (rndmh3ro)
- Add explicit role-path to kitchen.yml #52 (rndmh3ro)
- Fix pam passwdqc template #51 (rndmh3ro)
- New dir layout #49 (rndmh3ro)
- remove duplicate "update pam" task #46 (fitz123)
- Fix stuck in case pam files was updated before by force update #45 (fitz123)
- Fix nologin shell path #44 (fitz123)
- improved travis-tests to cover more cases #42 (rndmh3ro)
- Update kitchen-ansible, remove separate debian install #40 (rndmh3ro)
- Add mode to su-binary task. Fix #38 #39 (rndmh3ro)
- update common kitchen.yml platforms (ansible), kitchen_debian.yml platforms (ansible) #37 (chris-rock)
- Change oneliner if-statements to be more readable #36 (rndmh3ro)
- Separate system-vars from editable vars. Fix #34 #35 (rndmh3ro)
- Create limits.d-directory if it does not exist. #33 (rndmh3ro)
- Add correct CONTRIB-file #32 (rndmh3ro)
- Add Ansible Galaxy badge #31 (rndmh3ro)
- Update readme, todo, changelog, vars #30 (rndmh3ro)
- List-cleanup and follow symlinks added #29 (rndmh3ro)
- Add module configuration #28 (rndmh3ro)
- Fix two sysctl-settings #27 (rndmh3ro)
- Add meta-files for Ansible Galaxy #26 (rndmh3ro)
- Disable System Accounts. Fix #6 #25 (rndmh3ro)
- Use changed_when to avoid changed tasks #24 (rndmh3ro)
- Delete authconfig-task on rhel-systems #23 (rndmh3ro)
- Add missing rhosts-include task #21 (rndmh3ro)
- Change sysctl-task. Fix #18 #20 (rndmh3ro)
- Add travis-support #17 (rndmh3ro)
- Add conditions for various tasks. Fix #15 #16 (rndmh3ro)
- fix configuration of playbook path #14 (chris-rock)
- Make tasks clearer #13 (rndmh3ro)
- Add remove suid/sgid function #12 (rndmh3ro)
- Add task to remove unused repos and pkgs #11 (rndmh3ro)
- Edit README to fit to os-hardening #10 (rndmh3ro)
- ignore RAs on Ipv6 #9 (rndmh3ro)
- Repair debian install script #8 (rndmh3ro)
- Separate tasks into multiple smaller files #7 (rndmh3ro)
- Enable gpg-check on all yum-repositories #5 (rndmh3ro)
- Change playbook-path to accommodate test-repo #4 (rndmh3ro)
- treat securetty config as an array #3 (arlimus)
- Add Securetty-support #2 (rndmh3ro)
- Add profile.conf configuration #1 (rndmh3ro)
* This Changelog was automatically generated by github_changelog_generator